It should come as no surprise by now that with advances in technology, the frequency of data loss and breaches is on the rise. It’s not just HIPAA breaches, either. Data breaches in general are big business both for thieves and those fighting and prosecuting them. This is especially true in the case of mobile technology – laptops, smartphones and other small devices – that can be easily misused, lost or stolen. Unfortunately, medical providers have been slow to adopt security protocols and response measures against inappropriate data disclosure and theft. What can you do to protect your organization, its mobile devices and data?
What controls do you have in place around electronically stored information? What mobile devices are in use (officially and unofficially) and what controls do you have in place regarding the use of those mobile devices? Where are the gaps or holes? Who is data shared with – (i.e., business associates, contractors)? What is your level of staff training and awareness regarding the risks of technology and mobile devices? Do you have coverage under insurance policies for data breaches and technology loss or theft? How can you strengthen or improve your policies, procedures and practices?
Fire Departments do extensive pre-planning for evacuation and fire suppression of large buildings within their communities; EMS services plan and drill for mission-critical incidents and large-scale disaster responses; and hospitals and health systems develop comprehensive plans for public health emergencies. But when it comes to implementing and integrating new technology into an organization, the pre-planning function is often overlooked. Before implementing any new technology, create a strategic plan for that technology’s use and integration, including why it’s beneficial to the organization’s overall mission, what other existing or new technology it interfaces with, who will have access to and use it, and how it will be managed, maintained and protected, and by whom.
You have a fiduciary obligation to preserve the data your organization generates, whether that is business data or patient data. Deploy and enable software that allows you to remotely locate a mobile device and wipe the data on it. Implement email archiving, data backup, and remote storage policies and procedures, and make sure that mobile devices are included in those policies. Enable access audit logging on every system that supports it, and retain the audit logs for no less than six months, ideally longer. And have a plan and the means to locate, preserve and capture all relevant data within your organization in the event of legal action, such as an investigation or lawsuit.
Know and document what you are required to maintain by law and what additional information you want to retain for your business. This includes knowing how and where your data is located (data mapping), identifying who has access to which software systems and data, and having a data retention timeline and destruction policy. You can have different policies for different types of records (medical, personnel or financial), but you must have a policy, follow it and enforce it; an unenforced policy is worthless. All policies should cover records and data stored on mobile devices as well as on- and off-site. Even if it’s stored on a remote server or hosted by one of your vendors, it’s still your data, and you are ultimately responsible for it. Train your staff on the information governance (IG) protocol, and make sure they follow it. Destroy/delete anything you aren’t required to maintain.
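The retention schedule, the destruction step and the legal-hold exception from the two paragraphs above can be expressed as a small, testable routine. The following is an added example, not code from the original article; the record classes, retention periods, device names and the inventory are constructed placeholders, and the number of days per class is an illustration, not legal guidance. The one rule a practitioner will want enforced in code rather than in memory is that a record under legal hold is never eligible for destruction, however old it is.

```python
"""Added example (not from the original article): apply a records-retention
schedule to a data-mapped inventory, honouring legal holds.

All record classes, retention periods, locations and records below are
constructed for illustration; take real periods from counsel and statute."""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Retention schedule: record class -> minimum days to keep after the record
# closes. Illustrative values only, NOT legal guidance.
RETENTION_DAYS = {
    "medical": 6 * 365,
    "personnel": 3 * 365,
    "financial": 7 * 365,
    "audit_log": 183,   # the article's floor of "no less than six months"
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    closed_on: date           # date the record became inactive
    location: str             # from the data map: system or device holding it
    legal_hold: bool = False  # set by counsel / incident response team


def evaluate(records, today, schedule=RETENTION_DAYS):
    """Sort records into destroy / retain / hold / unclassified.

    - legal_hold wins over age: held records are never listed for destruction
    - an unknown class fails safe: it is kept and flagged for classification
    """
    result = {"destroy": [], "retain": [], "hold": [], "unclassified": []}
    for r in records:
        if r.legal_hold:
            result["hold"].append(r.record_id)
            continue
        days = schedule.get(r.record_class)
        if days is None:
            result["unclassified"].append(r.record_id)
            continue
        eligible_on = r.closed_on + timedelta(days=days)
        bucket = "destroy" if today >= eligible_on else "retain"
        result[bucket].append(r.record_id)
    return result


def place_hold(records, record_ids):
    """Return a copy of the inventory with legal_hold set on the given ids."""
    return [replace(r, legal_hold=True) if r.record_id in record_ids else r
            for r in records]


def find_on_devices(records, prefixes=("laptop-", "phone-")):
    """Locate records the data map puts on mobile devices (constructed naming)."""
    return [r.record_id for r in records if r.location.startswith(prefixes)]


# Constructed inventory; the "today" is fixed so the outcome is reproducible.
TODAY = date(2024, 6, 30)
INVENTORY = [
    Record("MR-1001", "medical", date(2017, 1, 15), "ehr-server"),
    Record("MR-1002", "medical", date(2020, 3, 2), "laptop-07"),
    Record("HR-2001", "personnel", date(2019, 5, 1), "hr-share"),
    Record("FIN-3001", "financial", date(2016, 12, 31), "accounting"),
    Record("LOG-4001", "audit_log", date(2024, 2, 1), "siem"),
    Record("LOG-4002", "audit_log", date(2023, 11, 1), "siem"),
    Record("MISC-5001", "photo", date(2015, 1, 1), "phone-03"),
]

if __name__ == "__main__":
    print("no hold:   ", evaluate(INVENTORY, TODAY))
    # A lawsuit names patient MR-1001: the hold must pull it off the destroy list.
    held = place_hold(INVENTORY, {"MR-1001"})
    print("with hold: ", evaluate(held, TODAY))
    print("on devices:", find_on_devices(INVENTORY))
```

Run against the constructed inventory, MR-1001, HR-2001, FIN-3001 and LOG-4002 are past their retention and listed for destruction, while the unrecognised "photo" class is kept and flagged rather than silently deleted. Placing a hold on MR-1001 moves it to the hold list and out of the destroy list, which is the spoliation mistake the routine exists to prevent.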
Ensure anti-virus and anti-malware (including anti-spyware) software is enabled and up to date. Establish robust firewalls and security protocols, including password-protecting internal networks and using VPNs and TLS (SSL) encryption for transmission of data. Secure networks should only be accessible by your staff and authorized business associates and contractors. Create guest networks for all others, and don’t give them access to your secure network. Also, prohibit or limit the number and type of personal storage devices staff may connect to company systems, such as portable hard drives, flash memory drives (USB or thumb drives) and other removable storage. Ensure your remote vendors have security policies and protocols in place that meet or exceed your own standards.
Manage your staff’s expectations up front. Prohibit the use of personal mobile devices for official business. Have an “unauthorized photo” and recording policy in place. Make sure your staff understands that if they use their personal device(s) for work-related functions and/or in violation of company policies, there is no longer an expectation of personal privacy attached to that device, and it will result in the device being re-classified as a “company” device and subject to search and/or seizure.
The CTO’s role is to monitor the organization’s technology and serve as a liaison to the organization’s vendors and legal counsel in the event of loss, breach, investigation or lawsuit. They don’t necessarily have to be the person who maintains your software and technology systems. You probably already have someone in your organization with knowledge or interest in technology – identify them and put them to work. If there is no one in your organization, identify an outside vendor who can oversee and support your technology.
An incident response team (IRT) provides a quick, effective, orderly and comprehensive response to data incidents, including viruses, hackers, break-ins, thefts, mobile technology loss and improper disclosures. The IRT should have delegated authority to act and take necessary steps to mitigate or resolve issues involving a breach, investigate suspected breaches, and report findings to management and the appropriate authorities. Who is on the IRT can be scaled to the size of the organization, but in general it should be comprised of senior management, IT, legal, public relations, risk management and your insurance broker. For smaller organizations, many of the IRT tasks can (and probably should) be outsourced. IRT members should be designated in advance and should be trained in and know their role so they can act accordingly and immediately when the need arises.
Line up outside expertise in advance; this includes technology, legal and public relations experts. Last-minute contracts almost always cost more money. Select vendors ahead of time so they can become familiar with your business and can react and respond more appropriately when the time comes. The last thing you want to be doing, or should be doing, in the midst of a crisis is trying to locate someone who can help you investigate, secure, retrieve and preserve data and information.
Your staff can’t be expected to comply with things they know nothing about. So train them! Teach them the policies on using (or not using) their own personal devices at work; how to report suspicious or inappropriate activity on a mobile device, or its loss or theft, and to whom; how long records must be kept and what the exceptions to those rules are; and any other rules, policies, procedures, protocols, and controls surrounding the collection, maintenance, retention, and destruction of organizational data, information, and technology. Without proper staff training you might as well not even bother putting all of the systems, policies, procedures and controls in place.
We aren’t talking about hiring a big accounting firm to come in and perform “formal” audits. But you do need to perform regular monitoring and testing of the systems, policies and controls you have put in place. This means doing a walk-through once a quarter (or some other reasonable time frame). Walk around the building and observe; make sure people are following the plans, policies, systems and controls you have put in place. Visit with your outside vendors, and verify they’re complying with your policies surrounding your data as well. This alone will go a long way toward reducing risk.
If all of this sounds terribly expensive and complicated, you’re right. The fact is, whether large or small, your organization will be held to the same standards as mega companies with mega-budgets when it comes to data security. The process can be long and daunting, but the important part is beginning somewhere, because sticking your head in the sand and doing nothing will only end up costing more money and creating more problems in the long run. The good news is that these measures can be scaled to your organization and will still reduce your risk. So now is the time to prepare your organization, because technology, especially mobile technology, and its inherent risks aren’t going to go away.
This article scratches only the surface. Be sure to consult with an attorney and a health information technology consultant to review your organization's specific needs and obtain appropriate advice on these and related issues.